
All times are UTC




 Post subject: [solved] Cross-site scripting (XSS) vulnerability
PostPosted: Tue Dec 10, 2013 8:53 am 
Forum Members
Hello there.
https://twitter.com/cvebot/status/410119215170195456

I just found a tweet that shows a possible vulnerability in cmsms 1.11.9.

I'm posting it here so you can check it out and respond if necessary.


Last edited by brutusmaximus on Tue Dec 10, 2013 7:37 pm, edited 1 time in total.

 Post subject: Re: Cross-site scripting (XSS) vulnerability
PostPosted: Tue Dec 10, 2013 3:29 pm 
Dev Team Member
FYI.

We do not consider these issues (and there is more than one) to be serious. In fact, in our opinion they are very minor bugs.

Essentially, the issue is/issues are that a logged-in, authenticated administrator can inject some JavaScript into various fields (such as the handler name of an event handler, or the stylesheet name, or various other fields) that can result in an XSS attack emanating from your website and going to other authorized editors.

The reasons we consider this stuff to be very minor issues are:
a: The user has to be a logged-in, authenticated and trusted administrator with appropriate permission (the issues reported so far are not privilege escalation, or methods of bypassing security).
b: The user has to intentionally attack the site with a script that simulates the login, session and cookie process to inject crap into various fields of an item that he is allowed to edit. To our knowledge this can't be accidental, or easy behavior.
c: By the nature of CMSMS, adding HTML and javascript to the website is one of the lower level permissions. This gives editors the capability to potentially insert public XSS attacks directly in the content of a website. It is a minor problem if trusted content editors or administrators can attack the very website they have permission to edit.

It is kind of like this analogy: "If you give the keys of your car to somebody with permission to drive it to the store....they could also drive it anywhere".

If you can't trust your content editors or administrators to not attack your site, then don't give them access at all.

Numerous people have reported these various issues to the development team before. We have reviewed them, and came to the conclusion that for the reasons above we would not make interrupting our plans, fixing these issues, testing, and releasing the fixes a priority. We consider these issues to be minor 'bugs' and we have bigger fish to fry.

To pre-emptively answer the "But they should be fixed" statement that somebody will certainly make, we state finally: we have analyzed the issues and have determined that unless we are missing something obvious, we consider the issues to be very minor and that the stuff we are working on for 2.0 or almost any other bug is more important. Given a thousand code monkeys, we probably still wouldn't fix these issues until such time as we had to revisit that code for another reason anyways.

_________________
Follow me on twitter
Please post system information from "Extensions >> System Information" (there is a bbcode option) on all posts asking for assistance.
--------------------
If you can't bother explaining your problem well, you shouldn't expect much in the way of assistance.
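
The class of issue described in the post above (an administrator-supplied name, such as a stylesheet or event handler name, rendered back to other editors) is closed by encoding the stored value at output time. The following is an added example, not part of the thread and not CMSMS code; the helper names, the `edit.php` URL, the naming policy and the sample rows are all hypothetical or constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not CMSMS functions.

/** Encode a stored value for an HTML text or quoted-attribute context. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allowlist check applied when a name is saved (assumed naming policy). */
function is_valid_item_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9 _.\-]{0,63}\z/', $name) === 1;
}

/**
 * Render one row of an admin list. Every stored value is encoded here,
 * because rows saved before validation existed may still hold markup.
 */
function render_item_row(int $id, string $name): string
{
    // Placeholder URL; the query string is built rather than concatenated.
    $href = 'edit.php?' . http_build_query(['id' => $id]);

    return sprintf(
        '<tr><td><a href="%s" title="%s">%s</a></td></tr>',
        h($href),
        h('Edit ' . $name),
        h($name)
    );
}

// Constructed sample data: one ordinary name, one containing markup.
$rows = [
    1 => 'Main layout',
    2 => '"><script>alert(1)</script>',
];

foreach ($rows as $id => $name) {
    $verdict = is_valid_item_name($name) ? 'accept' : 'reject';
    printf("%-7s %s\n", $verdict, render_item_row($id, $name));
}
```

The second row is rejected by the save-time check and, if it were already stored, renders as inert text because the quote and angle brackets are emitted as entities.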


 Post subject: Re: Cross-site scripting (XSS) vulnerability
PostPosted: Tue Dec 10, 2013 7:35 pm 
Forum Members
Wow, thanks for the given statement and quick reply.

No further questions. Good luck with the development of version 2.0.

